First time trying to configure a Security Onion server to forward alerts on to a SIEM using the Logstash syslog output plugin. I have spent the better part of a day reading documentation and am still at a loss. The config below is really basic and is forwarding logs successfully, but the log messages I'm getting contain a ton of noisy information about the log forwarder (see image below). The suggestion in the Security Onion discussion group was to create a pipeline, which, being new to this, looks like it will take a LOT of work to understand. I'm not looking to filter the actual alerts, just to not send (or to reduce) the header information between the red brackets (which I'm thinking may just be part of syslog itself), and only send the actual message info, i.e. what's on the trailing end of the "LOGSTASH". Any help would be greatly appreciated, since clearly my attempt at filtering "message" does nothing at all.
```
output {
  # only forward Suricata events
  if [event][module] == "suricata" {
    syslog {
      id      => "Sys_fwd"
      host    => "10.x.x.x"
      port    => 514
      appname => "LOGSTASH"
      codec   => json
      message => "%{LOGSTASH}"
    }
  }
}
```
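For comparison, here is the same output stanza with the two settings that produce the noisy body changed. This is an added example, not from the original post or from the Security Onion project: `codec => json` makes the syslog output plugin serialise the entire event (agent, host and pipeline metadata included) and ignore the `message` option, whereas with the plugin's default plain codec the `message` option is the sprintf template for the syslog body. It assumes that the Suricata alert text lives in the event's `[message]` field and keeps the `10.x.x.x` placeholder from the question.

```logstash
output {
  if [event][module] == "suricata" {
    syslog {
      id       => "Sys_fwd"
      host     => "10.x.x.x"   # placeholder from the question, not a real address
      port     => 514
      protocol => "udp"        # plugin default, stated explicitly
      appname  => "LOGSTASH"
      # No `codec => json` here: a json codec emits the whole event as the
      # syslog body and the `message` option below is never consulted.
      # With the default plain codec, `message` is the template for the body.
      # "%{LOGSTASH}" referenced a field that does not exist, so it was sent
      # literally; "%{message}" is the plugin's default and sends only that
      # field (assumed to hold the original Suricata EVE record).
      message  => "%{message}"
    }
  }
}
```

Fields other than the one named in `message` are not transmitted, so the forwarder headers disappear without a separate filter pipeline; if a different field carries the alert, substitute it in the template.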